How TalentLMS complies with 21 CFR Part 11

The system shall generate accurate and complete copies of records in human readable and electronic form suitable for inspection, review and copying.

TalentLMS provides advanced dynamically generated reports that include records of user progress and performance. All reports can be exported in Excel format.

11.10 (d)

The system shall limit system access to authorized individuals.

In TalentLMS, all access rights and user permissions are controlled by User Types (i.e., after signing in, users can only access the features available to their assigned User Type). Additional security measures have been taken in accordance with 21 CFR Part 11 (e.g., enforcing strong passwords and password change upon initial log-in). Passwords are stored hashed rather than encrypted, so recovering them is impossible.

11.10 (e)

The system shall employ secure, computer-generated date/time stamped audit trails to independently record operator entries and actions that create, modify, or delete electronic records, without obscuring previously recorded information.

All actions performed in TalentLMS are properly recorded (i.e., they all have a timestamp, and they’re displayed on the user’s Timeline). Timelines can be exported in Excel format.

11.10 (f)

The system shall enforce required steps and events sequencing, as appropriate (e.g., key steps cannot be bypassed or similarly compromised).

TalentLMS enforces specific steps when applying certain operations. Each operation triggers a standard set of events which are logged and can be reviewed anytime in the future.

11.10 (g)

The system shall ensure that only authorized individuals can use the system, electronically sign a record, access the operations or computer system input or output device, alter a record, or perform the operation at hand.

In TalentLMS, custom User Types are assigned to users to authorize permissions and control their access rights. Branches (i.e., sub-portals) can be used to control which features and information users (i.e., branch members) can access. All user actions are recorded and displayed on each user’s Timeline, including any changes made to portal records.

11.10 (h) (1)

The system shall determine, as appropriate, the validity of the source of data input or operational instruction.

TalentLMS can apply restrictions to IP access and file type extensions to control the validity of data sources. An SSL certificate can be provided to ensure all communication is performed over HTTPS, thereby eliminating any possibility of unauthorized data modification during transmission. TalentLMS has built-in CSRF filters to defend data against cross-site request forgery attacks.

11.50 (a) (1), (2), (3)

The system shall ensure all signed electronic records contain the printed name of the signer, date/time signature was executed, and the meaning associated with the signature (e.g. approval, responsibility, authorship).

The TalentLMS Timeline records any action, the date and time it’s executed, as well as the name and username of the associated user.

11.50 (b)

The system shall ensure the three signature elements (described in the previous requirement) of a signed electronic record are a part of any human readable form of the electronic record (e.g. electronic display or printout).

The three signature elements (i.e., action, date/time, user/username) are included in all the TalentLMS audit trail reports.

11.70 (a)

The system shall ensure electronic signatures are linked to their respective electronic records and that these electronic signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

In TalentLMS, an electronic signature is linked to and protected by the respective username and password. Electronic records cannot be manipulated, copied, transferred or falsified.

11.100 (a)

The system shall ensure that each electronic signature is unique to one individual and shall not be reused by, or reassigned to, anyone else.

TalentLMS enforces unique usernames.

11.200 (a) (1)

The system shall employ at least two distinct identification components such as an identification code and a password.

TalentLMS uses a login/pass combination for authorization. The password can be “hardened” to make guessing it through a brute-force attack impossible.

11.200 (a) (1) (i)

The system shall require the use of all electronic signature components for the first signing during a single continuous period of controlled system access.

In TalentLMS, RAII sessions begin with a digital signing in the form of a login/pass combination. The validity of the session is ensured upon each request.

11.200 (a) (1) (i)

The system shall allow all subsequent signing during the same continuous period of controlled system access to use at least one electronic signature component.

Following the first request, TalentLMS keeps using the originating user ID of each request to maintain session security. Additionally, CSRF filters are used to prevent any unauthorized access attempts through the user's active session.

11.200 (a) (1) (i)

The system shall ensure users are timed out during periods of specified inactivity.

In TalentLMS, user time-out is applied automatically by the system.

11.200 (a) (1) (ii)

The system shall require the use of all electronic signature components for the signings not executed during a single continuous period of controlled system access.

TalentLMS users must re-authenticate themselves in each non-continuous period of system access by using their electronic signature components.

11.200 (a) (3)

The system shall require all attempted uses of an individual’s electronic signature by anyone other than its genuine owner to require collaboration of two or more individuals.

No sharing of electronic signatures is permitted in TalentLMS, except for use by the global administrator.

11.300 (a)

The system shall require that each combination of identification code and password is unique, such that no two individuals have the same combination of identification code and password.

TalentLMS does not allow for any identification code (username) to be duplicated so that the combination of identification code and password is always unique.

11.300 (b)

The system shall require that passwords be periodically revised.

TalentLMS can enforce password change after a configurable amount of time.

11.300 (d)

The system shall employ transaction safeguards preventing the unauthorized use of password and/or identification codes.